| // Copyright 2020 Google LLC |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| syntax = "proto3"; |
| |
| package tink_testing_api; |
| |
| import "google/protobuf/duration.proto"; |
| import "google/protobuf/timestamp.proto"; |
| import "google/protobuf/wrappers.proto"; |
| |
| option java_package = "com.google.crypto.tink.testing.proto"; |
| option java_multiple_files = true; |
| option go_package = "github.com/google/tink/testing/go/proto/testing_api_go_proto"; |
| // Placeholder for java_stubby_library |
| |
| // Service providing metadata about the server. |
| service Metadata { |
| // Returns some server information. A test may use this information to verify |
| // that it is talking to the right server. |
| rpc GetServerInfo(ServerInfoRequest) returns (ServerInfoResponse) {} |
| } |
| |
| message ServerInfoRequest {} |
| |
| message ServerInfoResponse { |
| string tink_version = 1; // For example '1.4' |
| string language = 2; // For example 'cc', 'java', 'go' or 'python'. |
| } |
| |
| // Service for Keyset operations. |
| service Keyset { |
| // Generates a key template from a key template name. |
| rpc GetTemplate(KeysetTemplateRequest) returns (KeysetTemplateResponse) {} |
| // Generates a new keyset from a template. |
| rpc Generate(KeysetGenerateRequest) returns (KeysetGenerateResponse) {} |
| // Generates a public-key keyset from a private-key keyset. |
| rpc Public(KeysetPublicRequest) returns (KeysetPublicResponse) {} |
| // Converts a Keyset from Binary to Json Format |
| rpc ToJson(KeysetToJsonRequest) returns (KeysetToJsonResponse) {} |
| // Converts a Keyset from Json to Binary Format |
| rpc FromJson(KeysetFromJsonRequest) returns (KeysetFromJsonResponse) {} |
| // Reads an encrypted keyset using KeysetHandle.read() or |
| // KeysetHandle.readWithAssociatedData() and the BinaryKeysetReader. |
| rpc ReadEncrypted(KeysetReadEncryptedRequest) |
| returns (KeysetReadEncryptedResponse) {} |
| // Writes an encrypted keyset using KeysetHandle.write() or |
| // KeysetHandle.writeWithAssociatedData() and the BinaryKeysetWriter. |
| rpc WriteEncrypted(KeysetWriteEncryptedRequest) |
| returns (KeysetWriteEncryptedResponse) {} |
| } |
| |
| message KeysetTemplateRequest { |
| string template_name = 1; // template name used by Tinkey |
| } |
| |
| message KeysetTemplateResponse { |
| oneof result { |
| bytes key_template = 1; // serialized google.crypto.tink.KeyTemplate. |
| string err = 2; |
| } |
| } |
| |
| message KeysetGenerateRequest { |
| bytes template = 1; // serialized google.crypto.tink.KeyTemplate. |
| } |
| |
| message KeysetGenerateResponse { |
| oneof result { |
| bytes keyset = 1; // serialized google.crypto.tink.Keyset. |
| string err = 2; |
| } |
| } |
| |
| message KeysetPublicRequest { |
| bytes private_keyset = 1; // serialized google.crypto.tink.Keyset. |
| } |
| |
| message KeysetPublicResponse { |
| oneof result { |
| bytes public_keyset = 1; // serialized google.crypto.tink.Keyset. |
| string err = 2; |
| } |
| } |
| |
| message KeysetToJsonRequest { |
| bytes keyset = 1; // serialized google.crypto.tink.Keyset. |
| } |
| |
| message KeysetToJsonResponse { |
| oneof result { |
| string json_keyset = 1; |
| string err = 2; |
| } |
| } |
| |
| message KeysetFromJsonRequest { |
| string json_keyset = 1; |
| } |
| |
| message KeysetFromJsonResponse { |
| oneof result { |
| bytes keyset = 1; // serialized google.crypto.tink.Keyset. |
| string err = 2; |
| } |
| } |
| |
| // Copy of google.protobuf.BytesValue |
| message BytesValue { |
| // The bytes value. |
| bytes value = 1; |
| } |
| |
| enum KeysetReaderType { |
| KEYSET_READER_UNKNOWN = 0; |
| KEYSET_READER_BINARY = 1; |
| KEYSET_READER_JSON = 2; |
| } |
| |
| message KeysetReadEncryptedRequest { |
| bytes encrypted_keyset = 1; |
| bytes master_keyset = 2; // serialized google.crypto.tink.Keyset. |
| BytesValue associated_data = 3; |
| KeysetReaderType keyset_reader_type = 4; |
| } |
| |
| message KeysetReadEncryptedResponse { |
| oneof result { |
| bytes keyset = 1; // serialized google.crypto.tink.Keyset. |
| string err = 2; |
| } |
| } |
| |
| enum KeysetWriterType { |
| KEYSET_WRITER_UNKNOWN = 0; |
| KEYSET_WRITER_BINARY = 1; |
| KEYSET_WRITER_JSON = 2; |
| } |
| |
| message KeysetWriteEncryptedRequest { |
| bytes keyset = 1; // serialized google.crypto.tink.Keyset. |
| bytes master_keyset = 2; // serialized google.crypto.tink.Keyset. |
| BytesValue associated_data = 3; |
| KeysetWriterType keyset_writer_type = 4; |
| } |
| |
| message KeysetWriteEncryptedResponse { |
| oneof result { |
| bytes encrypted_keyset = 1; |
| string err = 2; |
| } |
| } |
| |
| message AnnotatedKeyset { |
| bytes serialized_keyset = 1; // serialized google.crypto.tink.Keyset. |
| map<string, string> annotations = 2; |
| } |
| |
| message CreationRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| } |
| |
| message CreationResponse { |
| // Empty means no error |
| string err = 1; |
| } |
| |
| // Service for AEAD encryption and decryption |
| service Aead { |
| // Creates an Aead object without using it. |
| rpc Create(CreationRequest) returns (CreationResponse) {} |
| // Encrypts a plaintext with the provided keyset. The client must call |
| // "Create" first to see if creation succeeds before calling this. |
| rpc Encrypt(AeadEncryptRequest) returns (AeadEncryptResponse) {} |
| // Decrypts a ciphertext with the provided keyset. The client must call |
| // "Create" first to see if creation succeeds before calling this. |
| rpc Decrypt(AeadDecryptRequest) returns (AeadDecryptResponse) {} |
| } |
| |
| message AeadEncryptRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| bytes plaintext = 2; |
| bytes associated_data = 3; |
| } |
| |
| message AeadEncryptResponse { |
| oneof result { |
| bytes ciphertext = 1; |
| string err = 2; |
| } |
| } |
| |
| message AeadDecryptRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| bytes ciphertext = 2; |
| bytes associated_data = 3; |
| } |
| |
| message AeadDecryptResponse { |
| oneof result { |
| bytes plaintext = 1; |
| string err = 2; |
| } |
| } |
| |
| // Service for Deterministic AEAD encryption and decryption |
| service DeterministicAead { |
| // Creates a Deterministic AEAD object without using it. |
| rpc Create(CreationRequest) returns (CreationResponse) {} |
| // Encrypts a plaintext with the provided keyset. The client must call |
| // "Create" first to see if creation succeeds before calling |
| // this. |
| rpc EncryptDeterministically(DeterministicAeadEncryptRequest) |
| returns (DeterministicAeadEncryptResponse) {} |
| // Decrypts a ciphertext with the provided keyset. The client must call |
| // "Create" first to see if creation succeeds before calling |
| // this. |
| rpc DecryptDeterministically(DeterministicAeadDecryptRequest) |
| returns (DeterministicAeadDecryptResponse) {} |
| } |
| |
| message DeterministicAeadEncryptRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| bytes plaintext = 2; |
| bytes associated_data = 3; |
| } |
| |
| message DeterministicAeadEncryptResponse { |
| oneof result { |
| bytes ciphertext = 1; |
| string err = 2; |
| } |
| } |
| |
| message DeterministicAeadDecryptRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| bytes ciphertext = 2; |
| bytes associated_data = 3; |
| } |
| |
| message DeterministicAeadDecryptResponse { |
| oneof result { |
| bytes plaintext = 1; |
| string err = 2; |
| } |
| } |
| |
| // Service for Streaming AEAD encryption and decryption |
| service StreamingAead { |
| // Creates a StreamingAead object without using it. |
| rpc Create(CreationRequest) returns (CreationResponse) {} |
| |
| // Encrypts a plaintext with the provided keyset. The client must call |
| // "Create" first to see if creation succeeds before calling this. |
| rpc Encrypt(StreamingAeadEncryptRequest) |
| returns (StreamingAeadEncryptResponse) {} |
| // Decrypts a ciphertext with the provided keyset. The client must call |
| // "Create" first to see if creation succeeds before calling this. |
| rpc Decrypt(StreamingAeadDecryptRequest) |
| returns (StreamingAeadDecryptResponse) {} |
| } |
| |
| message StreamingAeadEncryptRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| bytes plaintext = 2; |
| bytes associated_data = 3; |
| } |
| |
| message StreamingAeadEncryptResponse { |
| oneof result { |
| bytes ciphertext = 1; |
| string err = 2; |
| } |
| } |
| |
| message StreamingAeadDecryptRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| bytes ciphertext = 2; |
| bytes associated_data = 3; |
| } |
| |
| message StreamingAeadDecryptResponse { |
| oneof result { |
| bytes plaintext = 1; |
| string err = 2; |
| } |
| } |
| |
| // Service to compute and verify MACs |
| service Mac { |
| // Creates a Mac object without using it. |
| rpc Create(CreationRequest) returns (CreationResponse) {} |
| // Computes a MAC for given data. The client must call "Create" first to see |
| // if creation succeeds before calling this. |
| rpc ComputeMac(ComputeMacRequest) returns (ComputeMacResponse) {} |
| // Verifies the validity of the MAC value, no error means success. The client |
| // must call "Create" first to see if creation succeeds before calling this. |
| rpc VerifyMac(VerifyMacRequest) returns (VerifyMacResponse) {} |
| } |
| |
| message ComputeMacRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| bytes data = 2; |
| } |
| |
| message ComputeMacResponse { |
| oneof result { |
| bytes mac_value = 1; |
| string err = 2; |
| } |
| } |
| |
| message VerifyMacRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| bytes mac_value = 2; |
| bytes data = 3; |
| } |
| |
| message VerifyMacResponse { |
| string err = 1; |
| } |
| |
| // Service to hybrid encrypt and decrypt |
| service Hybrid { |
| // Creates a HybridEncrypt object without using it. |
| rpc CreateHybridEncrypt(CreationRequest) returns (CreationResponse) {} |
| // Creates a HybridDecrypt object without using it. |
| rpc CreateHybridDecrypt(CreationRequest) returns (CreationResponse) {} |
| |
| // Encrypts plaintext binding context_info to the resulting ciphertext. The |
| // client must call "CreateHybridEncrypt" first to see if creation succeeds |
| // before calling this. |
| rpc Encrypt(HybridEncryptRequest) returns (HybridEncryptResponse) {} |
| // Decrypts ciphertext verifying the integrity of context_info. The client |
| // must call "CreateHybridDecrypt" first to see if creation succeeds before |
| // calling this. |
| rpc Decrypt(HybridDecryptRequest) returns (HybridDecryptResponse) {} |
| } |
| |
| message HybridEncryptRequest { |
| AnnotatedKeyset public_annotated_keyset = 1; |
| bytes plaintext = 2; |
| bytes context_info = 3; |
| } |
| |
| message HybridEncryptResponse { |
| oneof result { |
| bytes ciphertext = 1; |
| string err = 2; |
| } |
| } |
| |
| message HybridDecryptRequest { |
| AnnotatedKeyset private_annotated_keyset = 1; |
| bytes ciphertext = 2; |
| bytes context_info = 3; |
| } |
| |
| message HybridDecryptResponse { |
| oneof result { |
| bytes plaintext = 1; |
| string err = 2; |
| } |
| } |
| |
| // Service to sign and verify signatures. |
| service Signature { |
| // Creates a PublicKeySign object without using it. |
| rpc CreatePublicKeySign(CreationRequest) returns (CreationResponse) {} |
| // Creates a PublicKeyVerify object without using it. |
| rpc CreatePublicKeyVerify(CreationRequest) returns (CreationResponse) {} |
| |
| // Computes the signature for data. The client must call "CreatePublicKeySign" |
| // first to see if creation succeeds before calling this. |
| rpc Sign(SignatureSignRequest) returns (SignatureSignResponse) {} |
| // Verifies that signature is a digital signature for data. The client must |
| // call "CreatePublicKeyVerify" first to see if creation succeeds before |
| // calling this. |
| rpc Verify(SignatureVerifyRequest) returns (SignatureVerifyResponse) {} |
| } |
| |
| message SignatureSignRequest { |
| AnnotatedKeyset private_annotated_keyset = 1; |
| bytes data = 2; |
| } |
| |
| message SignatureSignResponse { |
| oneof result { |
| bytes signature = 1; |
| string err = 2; |
| } |
| } |
| |
| message SignatureVerifyRequest { |
| AnnotatedKeyset public_annotated_keyset = 1; |
| bytes signature = 2; |
| bytes data = 3; |
| } |
| |
| message SignatureVerifyResponse { |
| string err = 1; |
| } |
| |
| // Service for PrfSet computation |
| service PrfSet { |
| // Creates a PrfSet object without using it. |
| rpc Create(CreationRequest) returns (CreationResponse) {} |
| |
| // Returns the key ids and the primary key id in the keyset.The client must |
| // call "Create" first to see if creation succeeds before calling this. |
| rpc KeyIds(PrfSetKeyIdsRequest) returns (PrfSetKeyIdsResponse) {} |
| // Computes the output of the PRF with the given key_id in the PrfSet.The |
| // client must call "Create" first to see if creation succeeds before calling |
| // this. |
| rpc Compute(PrfSetComputeRequest) returns (PrfSetComputeResponse) {} |
| } |
| |
| message PrfSetKeyIdsRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| } |
| |
| message PrfSetKeyIdsResponse { |
| message Output { |
| uint32 primary_key_id = 1; |
| repeated uint32 key_id = 2; |
| } |
| oneof result { |
| Output output = 1; |
| string err = 2; |
| } |
| } |
| |
| message PrfSetComputeRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| uint32 key_id = 2; |
| bytes input_data = 3; |
| int32 output_length = 4; |
| } |
| |
| message PrfSetComputeResponse { |
| oneof result { |
| bytes output = 1; |
| string err = 2; |
| } |
| } |
| |
| // Service for JSON Web Tokens (JWT) |
| service Jwt { |
| // Creates a JwtMac object without using it. |
| rpc CreateJwtMac(CreationRequest) returns (CreationResponse) {} |
| // Creates a JwtPublicKeySign object without using it. |
| rpc CreateJwtPublicKeySign(CreationRequest) returns (CreationResponse) {} |
| // Creates a JwtPublicKeyVerify object without using it. |
| rpc CreateJwtPublicKeyVerify(CreationRequest) returns (CreationResponse) {} |
| |
| // Computes a signed compact JWT token. |
| rpc ComputeMacAndEncode(JwtSignRequest) returns (JwtSignResponse) {} |
| // Verifies the validity of the signed compact JWT token |
| rpc VerifyMacAndDecode(JwtVerifyRequest) returns (JwtVerifyResponse) {} |
| // Computes a signed compact JWT token. |
| rpc PublicKeySignAndEncode(JwtSignRequest) returns (JwtSignResponse) {} |
| // Verifies the validity of the signed compact JWT token |
| rpc PublicKeyVerifyAndDecode(JwtVerifyRequest) returns (JwtVerifyResponse) {} |
| // Converts a Keyset from Tink Binary to JWK Set Format |
| rpc ToJwkSet(JwtToJwkSetRequest) returns (JwtToJwkSetResponse) {} |
| // Converts a Keyset from JWK Set to Tink Binary Format |
| rpc FromJwkSet(JwtFromJwkSetRequest) returns (JwtFromJwkSetResponse) {} |
| } |
| |
| // Used to represent the JSON null value. |
| enum NullValue { |
| NULL_VALUE = 0; |
| } |
| |
| message JwtClaimValue { |
| oneof kind { |
| NullValue null_value = 2; |
| double number_value = 3; |
| string string_value = 4; |
| bool bool_value = 5; |
| string json_object_value = 6; |
| string json_array_value = 7; |
| } |
| } |
| |
| message JwtToken { |
| google.protobuf.StringValue issuer = 1; |
| google.protobuf.StringValue subject = 2; |
| repeated string audiences = 3; |
| google.protobuf.StringValue jwt_id = 4; |
| google.protobuf.Timestamp expiration = 5; |
| google.protobuf.Timestamp not_before = 6; |
| google.protobuf.Timestamp issued_at = 7; |
| map<string, JwtClaimValue> custom_claims = 8; |
| google.protobuf.StringValue type_header = 9; |
| } |
| |
| message JwtValidator { |
| google.protobuf.StringValue expected_type_header = 7; |
| google.protobuf.StringValue expected_issuer = 1; |
| google.protobuf.StringValue expected_audience = 3; |
| bool ignore_type_header = 8; |
| bool ignore_issuer = 9; |
| bool ignore_audience = 11; |
| bool allow_missing_expiration = 12; |
| bool expect_issued_in_the_past = 13; |
| google.protobuf.Timestamp now = 5; |
| google.protobuf.Duration clock_skew = 6; |
| } |
| |
| message JwtSignRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| JwtToken raw_jwt = 2; |
| } |
| |
| message JwtSignResponse { |
| oneof result { |
| string signed_compact_jwt = 1; |
| string err = 2; |
| } |
| } |
| |
| message JwtVerifyRequest { |
| AnnotatedKeyset annotated_keyset = 1; |
| string signed_compact_jwt = 2; |
| JwtValidator validator = 3; |
| } |
| |
| message JwtVerifyResponse { |
| oneof result { |
| JwtToken verified_jwt = 1; |
| string err = 2; |
| } |
| } |
| |
| message JwtToJwkSetRequest { |
| bytes keyset = 1; // serialized google.crypto.tink.Keyset. |
| } |
| |
| message JwtToJwkSetResponse { |
| oneof result { |
| string jwk_set = 1; |
| string err = 2; |
| } |
| } |
| |
| message JwtFromJwkSetRequest { |
| string jwk_set = 1; |
| } |
| |
| message JwtFromJwkSetResponse { |
| oneof result { |
| bytes keyset = 1; // serialized google.crypto.tink.Keyset. |
| string err = 2; |
| } |
| } |
